Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Provide service accounts tokens to extensions #9618

Merged
merged 31 commits into from
Sep 22, 2023
Merged

Provide service accounts tokens to extensions #9618

merged 31 commits into from
Sep 22, 2023

Conversation

stephen-crawford
Copy link
Contributor

@stephen-crawford stephen-crawford commented Aug 29, 2023
edited
Loading

Description

This PR implements service account issuance and passing for extensions. This change adds a new transport action which passes the extension a string representation of its service account auth token. This token is created by the TokenManager interface implementation. The token is expected to be an encoded basic auth credential string which can be used by the extension to interact with its own system index.

As part of this change, the ExtensionManager will now take an instance of the IdentityService as part of its construction. This change was made so that the service account token could be generated inside of the class using a call to the token manager. Without passing the IdentityService it was not possible to get the implementation of the TokenManager required to generate the ServiceAccountToken.

Related Issues

Resolves #[Issue number to be closed when this PR is merged]

This issue resolves: opensearch-project/security#3176

Check List

  • New functionality includes testing.
    • All tests pass
  • New functionality has been documented.
    • New functionality has javadoc added
  • Commits are signed per the DCO using --signoff
  • Commit changes are listed out in CHANGELOG.md file (See: Changelog)

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

stephen-crawford and others added 2 commits August 29, 2023 09:26
@stephen-crawford
Add transport action
eee8b01 
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
@stephen-crawford
Merge branch 'opensearch-project:main' into issueSA
f568e03
@stephen-crawford
Update changelog
3bdc4e4 
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
@stephen-crawford
Update changelog
6b7849f 
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
@github-actions
Copy link
Contributor

github-actions bot commented Aug 29, 2023
edited
Loading

Compatibility status:

Checks if related components are compatible with change 8ca2b87

Incompatible components

Incompatible components: [https://github.com/opensearch-project/k-nn.git]

Skipped components

Compatible components

Compatible components: [https://github.com/opensearch-project/security-analytics.git, https://github.com/opensearch-project/security.git, https://github.com/opensearch-project/custom-codecs.git, https://github.com/opensearch-project/opensearch-oci-object-storage.git, https://github.com/opensearch-project/index-management.git, https://github.com/opensearch-project/geospatial.git, https://github.com/opensearch-project/sql.git, https://github.com/opensearch-project/notifications.git, https://github.com/opensearch-project/job-scheduler.git, https://github.com/opensearch-project/observability.git, https://github.com/opensearch-project/neural-search.git, https://github.com/opensearch-project/cross-cluster-replication.git, https://github.com/opensearch-project/alerting.git, https://github.com/opensearch-project/performance-analyzer.git, https://github.com/opensearch-project/anomaly-detection.git, https://github.com/opensearch-project/performance-analyzer-rca.git, https://github.com/opensearch-project/ml-commons.git, https://github.com/opensearch-project/asynchronous-search.git, https://github.com/opensearch-project/common-utils.git, https://github.com/opensearch-project/reporting.git]

@github-actions
Copy link
Contributor

Compatibility status:

Checks if related components are compatible with change 3bdc4e4

Incompatible components

Skipped components

Compatible components

@peternied peternied changed the title Implement service account issuance and fetching for extensions Provide service accounts tokens to extensions Sep 20, 2023
peternied
peternied reviewed Sep 20, 2023
View reviewed changes
Copy link
Member

@peternied peternied left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just minor cleanup, then should be ready to merge - much smaller change good work @scrawfor99

server/src/main/java/org/opensearch/extensions/ExtensionsManager.java Outdated Show resolved Hide resolved
server/src/main/java/org/opensearch/node/Node.java Show resolved Hide resolved
server/src/main/java/org/opensearch/extensions/ExtensionsManager.java Outdated Show resolved Hide resolved
CHANGELOG.md Outdated Show resolved Hide resolved
stephen-crawford and others added 2 commits September 21, 2023 10:01
@stephen-crawford
final changes
0415f58 
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
@stephen-crawford
Merge branch 'opensearch-project:main' into issueSA
64b689a
@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

@peternied
Merge branch 'main' into issueSA
8ca2b87 
Signed-off-by: Peter Nied <petern@amazon.com>
@peternied
Copy link
Member

@scrawfor99 Waiting on CI to complete since merge conflicts were resolved

@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

  • RESULT: UNSTABLE ❕
  • TEST FAILURES:
      1 org.opensearch.snapshots.CloneSnapshotIT.testCloneShallowSnapshotIndex
      1 org.opensearch.index.shard.RemoteIndexShardTests.testRepicaCleansUpOldCommitsWhenReceivingNew

@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

  • RESULT: UNSTABLE ❕
  • TEST FAILURES:
      1 org.opensearch.action.admin.cluster.node.tasks.ResourceAwareTasksTests.testTaskResourceTrackingDuringTaskCancellation

@stephen-crawford
Copy link
Contributor Author

@peternied should be all set :D

@peternied peternied merged commit 994e115 into opensearch-project:main Sep 22, 2023
13 checks passed
@peternied peternied deleted the issueSA branch September 22, 2023 14:21
@peternied
Copy link
Member

@scrawfor99 Could you make sure all the flaky test have issues or file new ones, this was a rough go of things

@stephen-crawford
Copy link
Contributor Author

Will do

sarthakaggarwal97 pushed a commit to sarthakaggarwal97/OpenSearch that referenced this pull request Sep 24, 2023
@stephen-crawford @owaiskazi19
@peternied @sarthakaggarwal97
Provide service accounts tokens to extensions (opensearch-project#9618)
8cdab01 
Provide service accounts tokens to extensions

This change adds a new transport action which passes the extension a string representation of its service account auth token. This token is created by the TokenManager interface implementation. The token is expected to be an encoded basic auth credential string which can be used by the extension to interact with its own system index.

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Co-authored-by: Owais Kazi <owaiskazi19@gmail.com>
Co-authored-by: Peter Nied <petern@amazon.com>
brusic pushed a commit to brusic/OpenSearch that referenced this pull request Sep 25, 2023
@stephen-crawford @owaiskazi19
@peternied @brusic
Provide service accounts tokens to extensions (opensearch-project#9618)
bed318d 
Provide service accounts tokens to extensions

This change adds a new transport action which passes the extension a string representation of its service account auth token. This token is created by the TokenManager interface implementation. The token is expected to be an encoded basic auth credential string which can be used by the extension to interact with its own system index.

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Co-authored-by: Owais Kazi <owaiskazi19@gmail.com>
Co-authored-by: Peter Nied <petern@amazon.com>
Signed-off-by: Ivan Brusic <ivan.brusic@flocksafety.com>
@stephen-crawford stephen-crawford mentioned this pull request Oct 2, 2023
Closed
6 tasks
DarshitChanpura pushed a commit to DarshitChanpura/OpenSearch that referenced this pull request Oct 2, 2023
@stephen-crawford @DarshitChanpura
Provide service accounts tokens to extensions (opensearch-project#9618)
a302af4 
Provide service accounts tokens to extensions

This change adds a new transport action which passes the extension a string representation of its service account auth token. This token is created by the TokenManager interface implementation. The token is expected to be an encoded basic auth credential string which can be used by the extension to interact with its own system index.

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Co-authored-by: Owais Kazi <owaiskazi19@gmail.com>
Co-authored-by: Peter Nied <petern@amazon.com>
(cherry picked from commit 994e115)
vikasvb90 pushed a commit to vikasvb90/OpenSearch that referenced this pull request Oct 10, 2023
@stephen-crawford @owaiskazi19
@peternied @vikasvb90
Provide service accounts tokens to extensions (opensearch-project#9618)
c735f79 
Provide service accounts tokens to extensions

This change adds a new transport action which passes the extension a string representation of its service account auth token. This token is created by the TokenManager interface implementation. The token is expected to be an encoded basic auth credential string which can be used by the extension to interact with its own system index.

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Co-authored-by: Owais Kazi <owaiskazi19@gmail.com>
Co-authored-by: Peter Nied <petern@amazon.com>
@RyanL1997 RyanL1997 mentioned this pull request Nov 1, 2023
Merged
8 tasks
RyanL1997 pushed a commit to RyanL1997/OpenSearch that referenced this pull request Nov 1, 2023
@stephen-crawford @owaiskazi19
@peternied @RyanL1997
Provide service accounts tokens to extensions (opensearch-project#9618)
83e80d7 
Provide service accounts tokens to extensions

This change adds a new transport action which passes the extension a string representation of its service account auth token. This token is created by the TokenManager interface implementation. The token is expected to be an encoded basic auth credential string which can be used by the extension to interact with its own system index.

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Co-authored-by: Owais Kazi <owaiskazi19@gmail.com>
Co-authored-by: Peter Nied <petern@amazon.com>
@RyanL1997 RyanL1997 mentioned this pull request Nov 1, 2023
Closed
8 tasks
peternied added a commit that referenced this pull request Nov 2, 2023
@RyanL1997 @stephen-crawford
@peternied @owaiskazi19
[Backport 2.x] Service accounts and on-behalf-of authentication in 2.x (
f1df1cd 
#11052)

* Implement on behalf of token passing for extensions (#8679)

* Provide service accounts tokens to extensions (#9618)

This change adds a new transport action which passes the extension a string representation of its service account auth token. This token is created by the TokenManager interface implementation. The token is expected to be an encoded basic auth credential string which can be used by the extension to interact with its own system index.

* Cherry pick #10614 and #10664

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Signed-off-by: Ryan Liang <jiallian@amazon.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Co-authored-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Co-authored-by: Peter Nied <peternied@hotmail.com>
Co-authored-by: Owais Kazi <owaiskazi19@gmail.com>
Co-authored-by: Peter Nied <petern@amazon.com>
@BrewTestBot BrewTestBot mentioned this pull request Feb 21, 2024
Merged
shiv0408 pushed a commit to Gaurav614/OpenSearch that referenced this pull request Apr 25, 2024
@stephen-crawford @owaiskazi19
@peternied @shiv0408
Provide service accounts tokens to extensions (opensearch-project#9618)
8aa919b 
Provide service accounts tokens to extensions

This change adds a new transport action which passes the extension a string representation of its service account auth token. This token is created by the TokenManager interface implementation. The token is expected to be an encoded basic auth credential string which can be used by the extension to interact with its own system index.

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Signed-off-by: Peter Nied <petern@amazon.com>
Co-authored-by: Owais Kazi <owaiskazi19@gmail.com>
Co-authored-by: Peter Nied <petern@amazon.com>
Signed-off-by: Shivansh Arora <hishiv@amazon.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cwperks cwperks cwperks left review comments

@owaiskazi19 owaiskazi19 owaiskazi19 approved these changes

@dbwiddis dbwiddis dbwiddis approved these changes

@peternied peternied peternied approved these changes

@reta reta Awaiting requested review from reta reta is a code owner

@anasalkouz anasalkouz Awaiting requested review from anasalkouz anasalkouz is a code owner

@andrross andrross Awaiting requested review from andrross andrross is a code owner

@Bukhtawar Bukhtawar Awaiting requested review from Bukhtawar Bukhtawar is a code owner

@CEHENKLE CEHENKLE Awaiting requested review from CEHENKLE CEHENKLE is a code owner

@dblock dblock Awaiting requested review from dblock dblock is a code owner

@gbbafna gbbafna Awaiting requested review from gbbafna gbbafna is a code owner

@setiah setiah Awaiting requested review from setiah

@kartg kartg Awaiting requested review from kartg

@kotwanikunal kotwanikunal Awaiting requested review from kotwanikunal kotwanikunal is a code owner

@mch2 mch2 Awaiting requested review from mch2 mch2 is a code owner

@nknize nknize Awaiting requested review from nknize nknize is a code owner

@Rishikesh1159 Rishikesh1159 Awaiting requested review from Rishikesh1159 Rishikesh1159 is a code owner

@ryanbogan ryanbogan Awaiting requested review from ryanbogan

@saratvemulapalli saratvemulapalli Awaiting requested review from saratvemulapalli saratvemulapalli is a code owner

@shwetathareja shwetathareja Awaiting requested review from shwetathareja shwetathareja is a code owner

@dreamer-89 dreamer-89 Awaiting requested review from dreamer-89

@tlfeng tlfeng Awaiting requested review from tlfeng

@VachaShah VachaShah Awaiting requested review from VachaShah VachaShah is a code owner

@sachinpkale sachinpkale Awaiting requested review from sachinpkale sachinpkale is a code owner

@sohami sohami Awaiting requested review from sohami sohami is a code owner

@msfroh msfroh Awaiting requested review from msfroh msfroh is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Issue and ferry a Service Account Token to an Extension on bootstrap
5 participants
@stephen-crawford @peternied @dbwiddis @owaiskazi19 @cwperks